NDR: Deploying a Virtual Sensor in OCI

Description

Notice

  • This guide is intended to serve as an example only. Users must modify applicable details, such as IP addresses, subnets, and device names, to align with their specific environment.

  • Exercise caution when making changes to your firewall or environment, as unplanned modifications can result in downtime, depending on the complexity of the configuration and infrastructure.

  • Your experience may vary if you are using a different software version or a product from another brand or manufacturer. Please note that you are solely responsible for the configuration and management of your devices.


OCI Modular Sensor Deployment

CAUTION: The examples below are intended to serve as general guidelines. Your platform or software version may differ, resulting in variations in images, screens, options, or other elements.

Site Preparation

  • Refer to the Modular Sensor Specifications section for details on the resources required to run different combinations of features in a Modular Sensor Profile. Provision your modular sensor according to the features that you plan on enabling.
  • You will also need to open firewall ports for the features you plan on enabling in the Modular Sensor Profile for this sensor.
  • This topic also describes how to configure a VTAP in OCI to direct data to a load balancer monitored by the Modular Sensor.

Downloading Images

You can download the images for modular sensors using the link below.

Installing the Modular Sensor Image

  1. Log in to Oracle Cloud Console at https://cloud.oracle.com/.
  2. Click the main menu icon at the top left of the Oracle Cloud Console.

image-20240513-150436.png

  3. If you do not already have a bucket for the Modular Sensor, navigate to Storage | Buckets.

image-20240513-150443.png

  4. Click Create Bucket to add a new bucket. Select the Standard storage tier, supply a name, and click Create to add the bucket to your account.

image-20240513-150448.png

  5. Click the entry for the bucket you just created. Then, use the Upload button to upload the aella-modular-ds-4.3.x.qcow2 image you received in the Downloading Images section. The Choose Files from your Computer field lets you either drag and drop the file or select the file in a standard Browse dialog box.

image-20240513-150453.png

  6. Click the main menu icon and navigate to Compute | Custom Images.

image-20240513-150457.png

  7. Click the Import image button and fill out the Import image dialog box as follows:
    • Supply a Name.
    • Use the Bucket field to select the bucket where you uploaded the image at the start of this procedure.
    • Use the Object name field to select the aella-modular-ds-5.1.1.qcow2 image.
    • Set the Operating system to Ubuntu.
    • Set the Image type field to QCOW2.
    • Leave Launch mode set to Paravirtualized mode.
    • The figure below provides an example of the settings:

image-20240513-150512.png

  8. When you have finished configuring the settings in the Import image dialog box, click the Import image button to start the import process.
    1. The Custom image details page appears for the image while it imports. When the image has finished importing, it appears with a value of Succeeded in the State column, as shown below.

image-20240513-150520.png

  9. Once the image has finished importing, click the Create instance command to create a new instance based on the image. Set the options in the Create compute instance dialog box as follows:
    • Supply an easily identifiable Name for the new instance.
    • Choose the compartment and availability domain for the new instance. Make sure you choose the availability domain where you want to receive traffic.
    • Leave Image set to stellar-modular-ds-5.1.x.
    • The Shape field lets you select from VMs with a variety of different provisioning. Choose a shape that corresponds to the resources required by the features to be enabled in this sensor's Sensor Profile.
      • You can customize the CPUs and memory for many of the available shapes by clicking Change shape and adjusting as necessary. For example, we know we want to enable the Log Collector, Log Forward, and Network Traffic features, so we've chosen the VM.Standard.E4.Flex shape and adjusted its settings to the minimum values of 4 CPUs and 6 GB of memory.

image-20240513-150611.png

    • Use the Networking options to select the Primary network and Subnet for the sensor's management interface.
    • In most cases, you'll want to Assign a public IPv4 address to the management interface. This lets you manage the sensor from a DP located outside the OCI public cloud.
    • Use the Add SSH keys options to decide how you want to connect to the sensor using SSH. We are letting OCI generate a key pair for us and saving the resulting private key locally.
    • You can leave the other options set to their defaults.
    • The figure below shows our settings so far.

image-20240513-150621.png

  10. When you are satisfied with your settings, click Create to create the instance.
    1. OCI begins to create the instance, tracking its progress in the Instance details | Work requests display. Once the State shown in the Work requests table shows Succeeded, as illustrated in the example below, you are ready to add a second VNIC to be used as a monitoring interface.

image-20240513-150629.png
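The console procedure above, scripted with the OCI CLI, as an added example that is not part of the original guide or the vendor's own tooling. It assumes a configured OCI CLI, placeholder OCIDs and availability domain (every value marked PLACEHOLDER must be replaced), the image file name used in the Import image step, and the 4 CPU / 6 GB minimum the guide gives for the Log Collector, Log Forward and Network Traffic feature set. Two differences from the console flow: the CLI reports a finished import as image lifecycle state AVAILABLE where the console shows Succeeded, and the script supplies an existing SSH public key instead of letting OCI generate one.

```shell
#!/usr/bin/env bash
# Added example: OCI CLI version of the console steps in this guide.
# Assumptions (not from the page): OCI CLI installed and configured; all
# OCIDs/AD below are placeholders; minimum sizing 4 OCPU / 6 GB is the
# figure the guide gives for Log Collector + Log Forward + Network Traffic.
set -eu

COMPARTMENT_ID="${COMPARTMENT_ID:-ocid1.compartment.oc1..PLACEHOLDER}"
SUBNET_ID="${SUBNET_ID:-ocid1.subnet.oc1..PLACEHOLDER}"
AVAILABILITY_DOMAIN="${AVAILABILITY_DOMAIN:-PLACEHOLDER-AD-1}"
BUCKET_NAME="${BUCKET_NAME:-modular-sensor-images}"
IMAGE_FILE="${IMAGE_FILE:-aella-modular-ds-5.1.1.qcow2}"
SSH_PUBKEY="${SSH_PUBKEY:-${HOME:-/root}/.ssh/sensor-mgmt.pub}"
INSTANCE_NAME="${INSTANCE_NAME:-modular-sensor-01}"
OCPUS="${OCPUS:-4}"
MEM_GB="${MEM_GB:-6}"

# Minimum resources the guide states for the chosen feature set.
MIN_OCPUS=4
MIN_MEM_GB=6

# Returns 0 when the requested sizing meets the minimum, 1 otherwise.
check_min_resources() {
    local ocpus="$1" mem="$2"
    [ "$ocpus" -ge "$MIN_OCPUS" ] && [ "$mem" -ge "$MIN_MEM_GB" ]
}

# Builds the JSON value passed to --shape-config for a Flex shape.
shape_config_json() {
    printf '{"ocpus": %s, "memoryInGBs": %s}' "$1" "$2"
}

# Polls the custom image until the import finishes. The console shows
# "Succeeded"; the API reports lifecycle-state AVAILABLE for the same event.
wait_for_image() {
    local image_id="$1" state
    while :; do
        state=$(oci compute image get --image-id "$image_id" \
            --query 'data."lifecycle-state"' --raw-output)
        case "$state" in
            AVAILABLE) return 0 ;;
            IMPORTING|PROVISIONING) sleep 30 ;;
            *) echo "image $image_id entered state $state" >&2; return 1 ;;
        esac
    done
}

deploy_sensor() {
    check_min_resources "$OCPUS" "$MEM_GB" || {
        echo "requested shape is below the ${MIN_OCPUS} OCPU / ${MIN_MEM_GB} GB minimum" >&2
        return 1
    }
    local ns image_id instance_id
    ns=$(oci os ns get --query data --raw-output)

    # Create Bucket (Standard tier) and Upload the qcow2 image.
    oci os bucket create --compartment-id "$COMPARTMENT_ID" --name "$BUCKET_NAME" \
        --storage-tier Standard >/dev/null
    oci os object put --bucket-name "$BUCKET_NAME" --file "$IMAGE_FILE" --name "$IMAGE_FILE"

    # Import image: Ubuntu, QCOW2, paravirtualized launch mode.
    image_id=$(oci compute image import from-object \
        --compartment-id "$COMPARTMENT_ID" --namespace "$ns" --bucket-name "$BUCKET_NAME" \
        --name "$IMAGE_FILE" --display-name "${IMAGE_FILE%.qcow2}" \
        --operating-system Ubuntu --source-image-type QCOW2 --launch-mode PARAVIRTUALIZED \
        --query 'data.id' --raw-output)
    wait_for_image "$image_id"

    # Create instance: Flex shape sized from the profile, public IPv4 on the
    # management interface, SSH key from a local file.
    instance_id=$(oci compute instance launch \
        --compartment-id "$COMPARTMENT_ID" --availability-domain "$AVAILABILITY_DOMAIN" \
        --display-name "$INSTANCE_NAME" --image-id "$image_id" \
        --shape VM.Standard.E4.Flex --shape-config "$(shape_config_json "$OCPUS" "$MEM_GB")" \
        --subnet-id "$SUBNET_ID" --assign-public-ip true \
        --ssh-authorized-keys-file "$SSH_PUBKEY" \
        --wait-for-state RUNNING --query 'data.id' --raw-output)
    echo "$instance_id"
}

# The real deployment only runs when explicitly requested, so the file can be
# sourced to reuse the helper functions without touching the tenancy.
if [ "${RUN_OCI_DEPLOY:-0}" = "1" ]; then
    deploy_sensor
fi
```

Export the real OCIDs and run with RUN_OCI_DEPLOY=1. Because the management interface receives a public IPv4 address, restrict inbound traffic to it in the subnet's security list or a network security group to the address of the DP that will manage the sensor before treating the instance as production; the sizing check at the top of deploy_sensor only guards the resource minimum, not network exposure.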
